It appears that your router is sending SNMP traps (UDP port 162) to your PC.
This means that your router has been configured to send SNMP traps to your
PC. You should be able to change this in the router - probably under a
section called "manage" or "monitor".

Omar

|-----Original Message-----
|From: Preston, Tony [mailto:Tony.Preston@acs-inc.com]
|Sent: Friday, October 31, 2003 8:56 AM
|To: 'security-basics@securityfocus.com'
|Subject: Home firewall Hits
|
|I am hoping someone here can explain what I am seeing on my
|home network.
|I use Kerio's tiny personal firewall and Windows ME. I have
|everything up to date with the latest patches.
|
|This is my home network and something strange is happening.
|The configuration is
|
| [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]
|
|
|From reading the firewall log, I would think that my router is
|continuously hitting Port 162 with a UDP message. The odd
|thing is that it is doing this by using an incrementing port
|from 192.168.1.1, I see many of these every day, it is continuous.
|
|I have the latest firmware from Linksys, the firewall is
|rejecting all the packets.
|
|While I am an experienced programmer, I do not have a lot of
|network experience, probably I would classify myself as
|knowing enough to be dangerous...:)
|
|The activity is at a moderate rate from a couple per second to
|one every 20 seconds. If it is some sort of attack attempt it
|is using a randomized delay between packets.
|
|Here is a summary of the hits.
|
|[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP,
| 192.168.1.1:40826->localhost:162, Owner: no owner
| thru
| 192.168.1.1:40899->localhost:162, Owner: no owner
|
|
|I do see other "hits" which are much less frequent which are
|an occasional hit here or there, I am not as concerned about
|these, but would be curious if anyone has ideas about why they
|occur. The first one, I might see one or two a day. The second
|one would show up in sets of 5-10, maybe a couple of times a day.
|
|[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
| 207.46.197.121:80->localhost:1452, Owner: no owner
|
|[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP,
| 0.0.0.0:68->localhost:67, Owner: no owner
|
|Anything here I should be concerned with??
|
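The log entries quoted in this thread can be triaged by protocol and port to separate router-originated SNMP traps from the other blocked packets. This is an added example, not part of the original messages: the function names and labels are assumptions of the example, and the timestamp on the second SNMP entry is constructed because the post gives only the source-port range.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the entries quoted in the post, one entry per line.
SAMPLE_LOG = """\
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40899->localhost:162, Owner: no owner
[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner
"""

ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: In (?P<proto>UDP|TCP), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)")

def classify(proto, src, sport, dport):
    """Label one blocked inbound packet by protocol and well-known ports."""
    if proto == "UDP" and dport == 162:
        # UDP 162 is the SNMP trap port; a private source means a LAN device.
        origin = "LAN device" if ip_address(src).is_private else "external host"
        return f"SNMP trap from {origin}"
    if proto == "UDP" and (sport, dport) == (68, 67):
        # DHCP clients send from port 68 to server port 67.
        return "DHCP client request"
    if proto == "TCP" and sport in (80, 443) and dport >= 1024:
        # Source is a web port, destination an ephemeral client port.
        return "web server reply to client port"
    return "unclassified"

def summarize(log_text):
    """Count blocked packets per (source address, label); skip unparsed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        label = classify(m["proto"], m["src"], int(m["sport"]), int(m["dport"]))
        counts[(m["src"], label)] += 1
    return counts

if __name__ == "__main__":
    for (src, label), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:<16} {label}")
```
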
